[Swan-dev] ipsecme-split-dns
Antony Antony
antony at phenome.org
Wed Dec 13 17:33:59 UTC 2017
It may be too late to apply a revert.
The code has diverged since my last e-mail, with 8b7a22dd82a836.
If you apply now, you may have to revert 8b7a22dd82a836 too.
-antony
On Wed, Dec 13, 2017 at 06:22:01PM +0100, Antony Antony wrote:
> On Wed, Dec 13, 2017 at 11:47:03AM -0500, Paul Wouters wrote:
> > On Wed, 13 Dec 2017, Antony Antony wrote:
> >
> > > I wonder why not revert the accident first? and comeback when you mean to.
> > > that is my preference. Then there is a clear path, accident revert!
> >
> > Can you undo a merge commit atomically? the man page isn't looking
> > promising:
>
> Not automatically, and not with a single command either. However, creating a diff
> and applying it soon after the accident seems easy to do. As more commits land
> on top, a single patch may get harder.
>
> Here is one patch that revert everything that came through the merge.
> A functional revert is easy, just one diff for the entire merge.
>
> A side effect is individual commits will not have a corresponding revert
> and the future merge... you have create them again from the master.
>
> > And /usr/share/doc/git-1.8.3.1/howto/revert-a-faulty-merge.txt makes it
> > look even less of a good idea to revert the merge?
>
> what do you think one patch idea?
>
> -antony
> From b4afd19f13cf33bda929c8d33200c7975fb5d4a4 Mon Sep 17 00:00:00 2001
> From: Antony Antony <antony at phenome.org>
> Date: Wed, 13 Dec 2017 18:05:02 +0100
> Subject: [PATCH] Reverts 2b7ad4446c350cd0245b3bbc73980a7a4ee6ef6e
>
> Merge branch 'ipsecme-split-dns'
> ---
> include/ietf_constants.h | 4 +-
> include/ipsecconf/confread.h | 2 -
> include/ipsecconf/keywords.h | 2 -
> include/whack.h | 2 -
> lib/libipsecconf/confread.c | 6 ---
> lib/libipsecconf/keywords.c | 3 --
> lib/libipsecconf/starterwhack.c | 5 ---
> lib/libswan/constants.c | 7 +---
> lib/libwhack/whacklib.c | 4 --
> programs/pluto/connections.c | 13 ------
> programs/pluto/connections.h | 2 -
> programs/pluto/ikev2.h | 2 +-
> programs/pluto/ikev2_child.c | 89 +++++++++++------------------------------
> programs/pluto/ikev2_parent.c | 72 +++++----------------------------
> programs/pluto/state.h | 1 -
> programs/whack/whack.c | 18 ---------
> 16 files changed, 38 insertions(+), 194 deletions(-)
>
> diff --git a/include/ietf_constants.h b/include/ietf_constants.h
> index 3979f09df..e6092e9aa 100644
> --- a/include/ietf_constants.h
> +++ b/include/ietf_constants.h
> @@ -1206,9 +1206,7 @@ enum ikev2_cp_attribute_type {
> IKEv2_P_CSCF_IP6_ADDRESS = 21,
> IKEv2_FTT_KAT = 22,
> IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO = 23,
> - IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK = 24,
> - IKEv2_INTERNAL_DNS_DOMAIN = 25,
> - /* IKEv2_INTERNAL_DNSSEC_TA = 26 expected */
> + IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK = 24
> };
>
>
> diff --git a/include/ipsecconf/confread.h b/include/ipsecconf/confread.h
> index 049a5cecc..85d11c143 100644
> --- a/include/ipsecconf/confread.h
> +++ b/include/ipsecconf/confread.h
> @@ -109,8 +109,6 @@ struct starter_conn {
> char *modecfg_dns2;
> char *modecfg_domain;
> char *modecfg_banner;
> - char *internal_domain1;
> - char *internal_domain2;
> char *policy_label;
> char *conn_mark_both;
> char *conn_mark_in;
> diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h
> index 99f44f055..758701aff 100644
> --- a/include/ipsecconf/keywords.h
> +++ b/include/ipsecconf/keywords.h
> @@ -196,8 +196,6 @@ enum keyword_string_conn_field {
> KSCF_MODECFGDNS1,
> KSCF_MODECFGDNS2,
> KSCF_MODECFGDOMAIN,
> - KSCF_INTERNALDOMAIN1,
> - KSCF_INTERNALDOMAIN2,
> KSCF_MODECFGBANNER,
> KSCF_IKE,
> KSCF_ESP,
> diff --git a/include/whack.h b/include/whack.h
> index c8eb98475..91c8fd244 100644
> --- a/include/whack.h
> +++ b/include/whack.h
> @@ -305,8 +305,6 @@ struct whack_message {
> ip_address modecfg_dns2;
> char *modecfg_domain;
> char *modecfg_banner;
> - char *internal_domain1;
> - char *internal_domain2;
>
> char *conn_mark_both;
> char *conn_mark_in;
> diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
> index cd7bd5004..5527ea0c3 100644
> --- a/lib/libipsecconf/confread.c
> +++ b/lib/libipsecconf/confread.c
> @@ -1238,8 +1238,6 @@ static bool load_conn(
> str_to_conn(modecfg_dns1, KSCF_MODECFGDNS1);
> str_to_conn(modecfg_dns2, KSCF_MODECFGDNS2);
> str_to_conn(modecfg_domain, KSCF_MODECFGDOMAIN);
> - str_to_conn(internal_domain1, KSCF_INTERNALDOMAIN1);
> - str_to_conn(internal_domain2, KSCF_INTERNALDOMAIN2);
> str_to_conn(modecfg_banner, KSCF_MODECFGBANNER);
>
> str_to_conn(conn_mark_both, KSCF_CONN_MARK_BOTH);
> @@ -1411,8 +1409,6 @@ static void conn_default(struct starter_conn *conn,
>
> conn->modecfg_dns1 = clone_str(def->modecfg_dns1, "conn default dns1");
> conn->modecfg_dns2 = clone_str(def->modecfg_dns2, "conn default dns2");
> - conn->internal_domain1 = clone_str(def->internal_domain1, "conn default internal-domain1");
> - conn->internal_domain2 = clone_str(def->internal_domain2, "conn default internal-domain2");
> conn->modecfg_domain = clone_str(def->modecfg_domain, "conn default domain");
> conn->modecfg_banner = clone_str(def->modecfg_banner, "conn default banner");
> conn->conn_mark_both = clone_str(def->conn_mark_both, "conn default conn_mark_both");
> @@ -1570,8 +1566,6 @@ static void confread_free_conn(struct starter_conn *conn)
>
> pfreeany(conn->modecfg_dns1);
> pfreeany(conn->modecfg_dns2);
> - pfreeany(conn->internal_domain1);
> - pfreeany(conn->internal_domain2);
>
> pfreeany(conn->left.virt);
> pfreeany(conn->right.virt);
> diff --git a/lib/libipsecconf/keywords.c b/lib/libipsecconf/keywords.c
> index a9cd32707..ff869f128 100644
> --- a/lib/libipsecconf/keywords.c
> +++ b/lib/libipsecconf/keywords.c
> @@ -587,9 +587,6 @@ const struct keyword_def ipsec_conf_keywords[] = {
> { "modecfgdns1", kv_conn, kt_string, KSCF_MODECFGDNS1, NULL, NULL, },
> { "modecfgdns2", kv_conn, kt_string, KSCF_MODECFGDNS2, NULL, NULL, },
>
> - { "internaldomain1", kv_conn, kt_string, KSCF_INTERNALDOMAIN1, NULL, NULL },
> - { "internaldomain2", kv_conn, kt_string, KSCF_INTERNALDOMAIN2, NULL, NULL },
> -
> { "modecfgdomain", kv_conn, kt_string, KSCF_MODECFGDOMAIN, NULL, NULL, },
> { "modecfgbanner", kv_conn, kt_string, KSCF_MODECFGBANNER, NULL, NULL, },
> { "mark", kv_conn, kt_string, KSCF_CONN_MARK_BOTH, NULL, NULL, },
> diff --git a/lib/libipsecconf/starterwhack.c b/lib/libipsecconf/starterwhack.c
> index d019a63da..5fd002eff 100644
> --- a/lib/libipsecconf/starterwhack.c
> +++ b/lib/libipsecconf/starterwhack.c
> @@ -672,9 +672,6 @@ static int starter_whack_basic_add_conn(struct starter_config *cfg,
> starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" modecfgbanner=%s",
> conn->name, msg.modecfg_banner);
>
> - msg.internal_domain1 = conn->internal_domain1;
> - msg.internal_domain2 = conn->internal_domain2;
> -
> msg.conn_mark_both = conn->conn_mark_both;
> starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" mark=%s",
> conn->name, msg.conn_mark_both);
> @@ -715,8 +712,6 @@ static int starter_whack_basic_add_conn(struct starter_config *cfg,
> "Ignoring modecfgdns2= entry, it is not a valid IPv4 or IPv6 address");
> }
>
> - /* add sanity check for internal_dns / internal_domain */
> -
> set_whack_end("left", &msg.left, &conn->left);
> set_whack_end("right", &msg.right, &conn->right);
>
> diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c
> index d98979b7b..118bdcae4 100644
> --- a/lib/libswan/constants.c
> +++ b/lib/libswan/constants.c
> @@ -1362,15 +1362,12 @@ static const char *const ikev2_cp_attribute_type_name[] = {
> "IKEv2_P_CSCF_IP6_ADDRESS",
> "IKEv2_FTT_KAT",
> "IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO", /* 3gpp */
> - "IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK", /* 3gpp */
> - "IKEv2_INTERNAL_DNS_DOMAIN", /* draft-pauly-ipsecme-split-dns-01 */
> - /* "IKEv2_INTERNAL_DNSSEC_TA", expected draft-pauly-ipsecme-split-dns-01 */
> + "IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK" /* 3gpp */
> };
>
> enum_names ikev2_cp_attribute_type_names = {
> IKEv2_CP_ATTR_RESERVED,
> - /* IKEv2_INTERNAL_DNSSEC_TA, */
> - IKEv2_INTERNAL_DNS_DOMAIN,
> + IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK,
> ARRAY_REF(ikev2_cp_attribute_type_name),
> NULL, /* prefix */
> NULL
> diff --git a/lib/libwhack/whacklib.c b/lib/libwhack/whacklib.c
> index 1974772ca..70205afe4 100644
> --- a/lib/libwhack/whacklib.c
> +++ b/lib/libwhack/whacklib.c
> @@ -134,8 +134,6 @@ err_t pack_whack_msg(struct whackpacker *wp)
> !pack_str(wp, &wp->msg->conn_mark_in) || /* string 31 */
> !pack_str(wp, &wp->msg->conn_mark_out) || /* string 32 */
> !pack_str(wp, &wp->msg->vti_iface) || /* string 33 */
> - !pack_str(wp, &wp->msg->internal_domain1) || /* string 34 */
> - !pack_str(wp, &wp->msg->internal_domain2) || /* string 35 */
> !pack_str(wp, &wp->msg->remote_host) || /* string 33 */
> wp->str_roof - wp->str_next < (ptrdiff_t)wp->msg->keyval.len) /* key */
> {
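Review bot: After the two removals the numbered comments on the new side read `/* string 33 */` twice, once on the vti_iface line and once on the remote_host line, so the sequence no longer helps verify that pack_whack_msg and unpack_whack_msg serialize the strings in the same positional order. Renumber the remote_host one to `/* string 34 */` here and in the matching unpack_whack_msg hunk below. pack_whack_msg starts and ends outside the hunk.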
> @@ -204,8 +202,6 @@ err_t unpack_whack_msg(struct whackpacker *wp)
> !unpack_str(wp, &wp->msg->conn_mark_in) || /* string 31 */
> !unpack_str(wp, &wp->msg->conn_mark_out) || /* string 32 */
> !unpack_str(wp, &wp->msg->vti_iface) || /* string 33 */
> - !unpack_str(wp, &wp->msg->internal_domain1) || /* string 34 */
> - !unpack_str(wp, &wp->msg->internal_domain2) || /* string 35 */
> !unpack_str(wp, &wp->msg->remote_host) || /* string 33 */
> wp->str_roof - wp->str_next != (ptrdiff_t)wp->msg->keyval.len)
> {
> diff --git a/programs/pluto/connections.c b/programs/pluto/connections.c
> index 6d8e6fa4f..e0d8d798c 100644
> --- a/programs/pluto/connections.c
> +++ b/programs/pluto/connections.c
> @@ -790,10 +790,6 @@ static void unshare_connection(struct connection *c)
> "connection cisco_dns_info");
> c->modecfg_domain = clone_str(c->modecfg_domain,
> "connection modecfg_domain");
> - c->internal_domain1 = clone_str(c->internal_domain1,
> - "connection internal domain1");
> - c->internal_domain2 = clone_str(c->internal_domain2,
> - "connection internal domain1");
> c->modecfg_banner = clone_str(c->modecfg_banner,
> "connection modecfg_banner");
> #ifdef HAVE_LABELED_IPSEC
> @@ -1666,8 +1662,6 @@ void add_connection(const struct whack_message *wm)
>
> c->modecfg_dns1 = wm->modecfg_dns1;
> c->modecfg_dns2 = wm->modecfg_dns2;
> - c->internal_domain1 = wm->internal_domain1;
> - c->internal_domain2 = wm->internal_domain2;
> c->modecfg_domain = wm->modecfg_domain;
> c->modecfg_banner = wm->modecfg_banner;
>
> @@ -4046,13 +4040,6 @@ static void show_one_sr(const struct connection *c,
>
> #undef COMBO
>
> - whack_log(RC_COMMENT,
> - "\"%s\"%s: internal domain1:%s, domain2:%s;",
> - c->name, instance,
> - c->internal_domain1,
> - c->internal_domain2
> - );
> -
> if (c->modecfg_banner != NULL) {
> whack_log(RC_COMMENT, "\"%s\"%s: banner:%s;",
> c->name, instance, c->modecfg_banner);
> diff --git a/programs/pluto/connections.h b/programs/pluto/connections.h
> index 1b75ec3f3..88aa5a2c0 100644
> --- a/programs/pluto/connections.h
> +++ b/programs/pluto/connections.h
> @@ -332,8 +332,6 @@ struct connection {
> char *cisco_dns_info; /* scratchpad for writing IP addresses */
> char *modecfg_domain;
> char *modecfg_banner;
> - char *internal_domain1;
> - char *internal_domain2;
>
> u_int8_t metric; /* metric for tunnel routes */
> u_int16_t connmtu; /* mtu for tunnel routes */
> diff --git a/programs/pluto/ikev2.h b/programs/pluto/ikev2.h
> index 489123841..2961593c8 100644
> --- a/programs/pluto/ikev2.h
> +++ b/programs/pluto/ikev2.h
> @@ -248,7 +248,7 @@ extern bool ship_v2N(enum next_payload_types_ikev2 np,
> extern deltatime_t ikev2_replace_delay(struct state *st, enum event_type *pkind,
> enum original_role role);
>
> -stf_status ikev2_send_cp(struct state *st, enum next_payload_types_ikev2 np,
> +stf_status ikev2_send_cp(struct connection *c, enum next_payload_types_ikev2 np,
> pb_stream *outpbs);
>
> bool ikev2_parse_cp_r_body(struct payload_digest *cp_pd, struct state *st);
> diff --git a/programs/pluto/ikev2_child.c b/programs/pluto/ikev2_child.c
> index 8b994c901..6934cae70 100644
> --- a/programs/pluto/ikev2_child.c
> +++ b/programs/pluto/ikev2_child.c
> @@ -1002,7 +1002,7 @@ stf_status ikev2_child_sa_respond(struct msg_digest *md,
> if (c->spd.that.has_lease &&
> md->chain[ISAKMP_NEXT_v2CP] != NULL &&
> cst->st_state != STATE_V2_REKEY_IKE_R) {
> - ikev2_send_cp(pst, ISAKMP_NEXT_v2SA, outpbs);
> + ikev2_send_cp(c, ISAKMP_NEXT_v2SA, outpbs);
> } else if (md->chain[ISAKMP_NEXT_v2CP] != NULL) {
> DBG(DBG_CONTROL, DBG_log("#%lu %s ignoring unexpected v2CP payload",
> cst->st_serialno,
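Review bot: The stf_status returned by `ikev2_send_cp(c, ISAKMP_NEXT_v2SA, outpbs);` is dropped on the changed line, whereas the call in ikev2_parent_inR1outI2_tail later in this patch keeps it in cpstat and bails out when it is not STF_OK. ikev2_send_cp returns STF_INTERNAL_ERROR when its out_struct() fails, so on that path the responder would likely continue building the reply around a partially written CP payload. Suggest `stf_status cpstat = ikev2_send_cp(c, ISAKMP_NEXT_v2SA, outpbs);` followed by `if (cpstat != STF_OK) return cpstat;`. ikev2_child_sa_respond starts and ends outside the hunk.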
> @@ -1182,17 +1182,15 @@ stf_status ikev2_child_sa_respond(struct msg_digest *md,
> return STF_OK;
> }
>
> -static bool ikev2_set_dns(pb_stream *cp_a_pbs, struct state *st, int af)
> +static bool ikev2_set_dns(pb_stream *cp_a_pbs, struct state *st)
> {
> ip_address ip;
> char ip_str[ADDRTOT_BUF];
> struct connection *c = st->st_connection;
> - err_t ugh = initaddr(cp_a_pbs->cur, pbs_left(cp_a_pbs), af, &ip);
> - bool responder = (st->st_state != STATE_PARENT_I2);
> + err_t ugh = initaddr(cp_a_pbs->cur, pbs_left(cp_a_pbs), AF_INET, &ip);
>
> - if ((ugh != NULL && st->st_state == STATE_PARENT_I2)) {
> - libreswan_log("ERROR INTERNAL_IP%s_DNS malformed: %s",
> - af == AF_INET ? "4" : "6", ugh);
> + if (ugh != NULL) {
> + libreswan_log("ERROR INTERNAL_IP4_DNS malformed: %s", ugh);
> return FALSE;
> }
>
> @@ -1206,15 +1204,6 @@ static bool ikev2_set_dns(pb_stream *cp_a_pbs, struct state *st, int af)
> libreswan_log("received INTERNAL_IP4_DNS %s",
> ip_str);
>
> - if (c->policy & POLICY_OPPORTUNISTIC) {
> - libreswan_log("ignored INTERNAL_IP4_DNS CP payload for Opportunistic IPsec");
> - return TRUE;
> - }
> - if (responder) {
> - libreswan_log("responder INTERNAL_IP4_DNS CP ignored");
> - return TRUE;
> - }
> -
> char *old = c->cisco_dns_info;
>
> if (old == NULL) {
> @@ -1238,30 +1227,27 @@ static bool ikev2_set_dns(pb_stream *cp_a_pbs, struct state *st, int af)
> return TRUE;
> }
>
> -static bool ikev2_set_ia(pb_stream *cp_a_pbs, struct state *st, int af)
> +static bool ikev2_set_ia(pb_stream *cp_a_pbs, struct state *st)
> {
> ip_address ip;
> ipstr_buf ip_str;
> struct connection *c = st->st_connection;
> - err_t ugh = initaddr(cp_a_pbs->cur, pbs_left(cp_a_pbs), af, &ip);
> - bool responder = st->st_state != STATE_PARENT_I2;
> + err_t ugh = initaddr(cp_a_pbs->cur, pbs_left(cp_a_pbs), AF_INET, &ip);
>
> - if ((ugh != NULL && st->st_state == STATE_PARENT_I2) || isanyaddr(&ip)) {
> - libreswan_log("ERROR INTERNAL_IP%s_ADDRESS malformed: %s",
> - af == AF_INET ? "4" : "6",
> - ugh == NULL ? ipstr(&ip, &ip_str) : ugh);
> + if (ugh != NULL) {
> + libreswan_log("ERROR INTERNAL_IP4_ADDRESS malformed: %s", ugh);
> return FALSE;
> }
>
> - libreswan_log("received INTERNAL_IP%s_ADDRESS %s",
> - af == AF_INET ? "4" : "6",
> - ipstr(&ip, &ip_str));
> -
> - if (responder) {
> - libreswan_log("responder CP ignored");
> - return TRUE;
> + if (isanyaddr(&ip)) {
> + libreswan_log("ERROR INTERNAL_IP4_ADDRESS %s is invalid",
> + ipstr(&ip, &ip_str));
> + return FALSE;
> }
>
> + libreswan_log("received INTERNAL_IP4_ADDRESS %s",
> + ipstr(&ip, &ip_str));
> +
> c->spd.this.has_client = TRUE;
> c->spd.this.has_internal_address = TRUE;
>
> @@ -1271,16 +1257,12 @@ static bool ikev2_set_ia(pb_stream *cp_a_pbs, struct state *st, int af)
> if (sameaddr(&c->spd.this.client.addr, &ip)) {
> /* The address we received is same as this side
> * should we also check the host_srcip */
> - DBG(DBG_CONTROL, DBG_log("#%lu %s[%lu] received NTERNAL_IP%s_ADDRESS which is same as this.client.addr %s. Will not add CAT iptable rules",
> + DBG(DBG_CONTROL, DBG_log("#%lu %s[%lu] received NTERNAL_IP4_ADDRESS which is same as this.client.addr %s. Will not add CAT iptable rules",
> st->st_serialno, c->name, c->instance_serial,
> - af == AF_INET ? "4" : "6",
> ipstr(&ip, &ip_str)));
> } else {
> c->spd.this.client.addr = ip;
> - if (af == AF_INET)
> - c->spd.this.client.maskbits = 32;
> - else
> - c->spd.this.client.maskbits = 128;
> + c->spd.this.client.maskbits = 32;
> st->st_ts_this = ikev2_end_to_ts(&c->spd.this);
> c->spd.this.has_cat = TRUE; /* create iptable entry */
> }
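Review bot: The DBG_log format on the rewritten line still reads `received NTERNAL_IP4_ADDRESS`, missing the leading I of INTERNAL; the line should read `DBG(DBG_CONTROL, DBG_log("#%lu %s[%lu] received INTERNAL_IP4_ADDRESS which is same as this.client.addr %s. Will not add CAT iptable rules",`. The typo predates the family-agnostic version, so the revert carries it back rather than introducing it, but this is the moment to fix it. ikev2_set_ia starts and ends outside the hunk.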
> @@ -1308,17 +1290,11 @@ bool ikev2_parse_cp_r_body(struct payload_digest *cp_pd, struct state *st)
> DBG(DBG_CONTROLMORE, DBG_log("#%lu %s[%lu] parsing ISAKMP_NEXT_v2CP payload",
> st->st_serialno, c->name, c->instance_serial));
>
> - if (st->st_state == STATE_PARENT_I2 && cp->isacp_type != IKEv2_CP_CFG_REPLY) {
> + if (cp->isacp_type != IKEv2_CP_CFG_REPLY) {
> loglog(RC_LOG_SERIOUS, "ERROR expected IKEv2_CP_CFG_REPLY got a %s",
> enum_name(&ikev2_cp_type_names,cp->isacp_type));
> return FALSE;
> }
> - if (st->st_state == STATE_PARENT_R1 && cp->isacp_type != IKEv2_CP_CFG_REQUEST) {
> - libreswan_log("ERROR expected IKEv2_CP_CFG_REQUEST got a %s",
> - enum_name(&ikev2_cp_type_names,cp->isacp_type));
> - return FALSE;
> - }
> -
> while (pbs_left(attrs) > 0) {
> struct ikev2_cp_attribute cp_a;
> pb_stream cp_a_pbs;
> @@ -1330,38 +1306,19 @@ bool ikev2_parse_cp_r_body(struct payload_digest *cp_pd, struct state *st)
> }
>
> switch (cp_a.type) {
> - case IKEv2_INTERNAL_IP4_ADDRESS | ISAKMP_ATTR_AF_TLV:
> - if (!ikev2_set_ia(&cp_a_pbs, st, AF_INET)) {
> + case INTERNAL_IP4_ADDRESS | ISAKMP_ATTR_AF_TLV:
> + if (!ikev2_set_ia(&cp_a_pbs, st)) {
> loglog(RC_LOG_SERIOUS, "ERROR malformed INTERNAL_IP4_ADDRESS attribute");
> return FALSE;
> }
> break;
>
> - case IKEv2_INTERNAL_IP4_DNS | ISAKMP_ATTR_AF_TLV:
> - if (!ikev2_set_dns(&cp_a_pbs, st, AF_INET)) {
> + case INTERNAL_IP4_DNS | ISAKMP_ATTR_AF_TLV:
> + if (!ikev2_set_dns(&cp_a_pbs, st)) {
> loglog(RC_LOG_SERIOUS, "ERROR malformed INTERNAL_IP4_DNS attribute");
> return FALSE;
> }
> break;
> -
> - case IKEv2_INTERNAL_IP6_ADDRESS | ISAKMP_ATTR_AF_TLV:
> - if (!ikev2_set_ia(&cp_a_pbs, st, AF_INET6)) {
> - loglog(RC_LOG_SERIOUS, "ERROR malformed INTERNAL_IP6_ADDRESS attribute");
> - return FALSE;
> - }
> - break;
> -
> - case IKEv2_INTERNAL_IP6_DNS | ISAKMP_ATTR_AF_TLV:
> - if (!ikev2_set_dns(&cp_a_pbs, st, AF_INET6)) {
> - loglog(RC_LOG_SERIOUS, "ERROR malformed INTERNAL_IP6_DNS attribute");
> - return FALSE;
> - }
> - break;
> - case IKEv2_INTERNAL_DNS_DOMAIN | ISAKMP_ATTR_AF_TLV:
> - /* ignore their values for now - just note support */
> - libreswan_log("received INTERNAL_DNS_DOMAIN (content ignored)");
> - st->st_seen_internal_domain = TRUE;
> - break;
> default:
> libreswan_log("unknown attribute %s length %u",
> enum_name(&ikev2_cp_attribute_type_names,
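Review bot: The reinstated case labels use `INTERNAL_IP4_ADDRESS` and `INTERNAL_IP4_DNS`, while the sending side in ikev2_send_cp later in this patch ships the same attributes as `IKEv2_INTERNAL_IP4_ADDRESS` and `IKEv2_INTERNAL_IP4_DNS`. The two name families presumably resolve to the same numbers, otherwise the receiver could never match what the sender emits, but mixing them hides that dependency; the IKEv2 names belong here too, e.g. `case IKEv2_INTERNAL_IP4_ADDRESS | ISAKMP_ATTR_AF_TLV:` and `case IKEv2_INTERNAL_IP4_DNS | ISAKMP_ATTR_AF_TLV:`. Separately, with IKEv2_INTERNAL_DNS_DOMAIN dropped from ikev2_cp_attribute_type_names, an attribute of that type now reaches the default branch, whose `%s` is fed the result of enum_name(); if enum_name() returns NULL for values outside the table, that is a NULL handed to a string conversion and worth confirming. ikev2_parse_cp_r_body continues outside the hunk.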
> diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c
> index d5da8e904..d9031bf5e 100644
> --- a/programs/pluto/ikev2_parent.c
> +++ b/programs/pluto/ikev2_parent.c
> @@ -2639,37 +2639,11 @@ static stf_status ikev2_ship_cp_attr_ip4(u_int16_t type, ip_address *ip4,
> return STF_OK;
> }
>
> -static stf_status ikev2_ship_cp_attr_str(u_int16_t type, char *str,
> - const char *story, pb_stream *outpbs)
> -{
> - struct ikev2_cp_attribute attr;
> - pb_stream a_pbs;
> -
> - attr.type = type;
> - if (str == NULL)
> - attr.len = 0;
> - else
> - attr.len = strlen(str);
> -
> - if (!out_struct(&attr, &ikev2_cp_attribute_desc, outpbs,
> - &a_pbs))
> - return STF_INTERNAL_ERROR;
> -
> - if (attr.len > 0) {
> - if (!out_raw(str, attr.len, &a_pbs, story))
> - return STF_INTERNAL_ERROR;
> - }
> -
> - close_output_pbs(&a_pbs);
> - return STF_OK;
> -}
> -
> -stf_status ikev2_send_cp(struct state *st, enum next_payload_types_ikev2 np,
> +stf_status ikev2_send_cp(struct connection *c, enum next_payload_types_ikev2 np,
> pb_stream *outpbs)
> {
> struct ikev2_cp cp;
> pb_stream cp_pbs;
> - struct connection *c = st->st_connection;
> bool cfg_reply = c->spd.that.has_lease;
>
> DBG(DBG_CONTROLMORE, DBG_log("Send Configuration Payload %s ",
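Review bot: The reinstated `ikev2_send_cp(struct connection *c, ...)` definition has no header comment, and its behaviour is now decided entirely by the connection: `bool cfg_reply = c->spd.that.has_lease;` selects which kind of Configuration Payload is built. A short comment above the definition would spare readers a trip through the body, e.g. `/* Write a v2CP payload for connection c into outpbs; the payload kind follows c->spd.that.has_lease (reply when the peer holds a lease). */`, assuming that reading of cfg_reply is right. The body continues in the next hunk.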
> @@ -2682,11 +2656,11 @@ stf_status ikev2_send_cp(struct state *st, enum next_payload_types_ikev2 np,
> if (!out_struct(&cp, &ikev2_cp_desc, outpbs, &cp_pbs))
> return STF_INTERNAL_ERROR;
>
> - if (cfg_reply) {
> - ikev2_ship_cp_attr_ip4(IKEv2_INTERNAL_IP4_ADDRESS,
> - &c->spd.that.client.addr,
> + ikev2_ship_cp_attr_ip4(IKEv2_INTERNAL_IP4_ADDRESS,
> + cfg_reply ? &c->spd.that.client.addr : NULL,
> "IPV4 Address", &cp_pbs);
>
> + if (cfg_reply) {
> if (!isanyaddr(&c->modecfg_dns1)) {
> ikev2_ship_cp_attr_ip4(IKEv2_INTERNAL_IP4_DNS, &c->modecfg_dns1,
> "DNS 1", &cp_pbs);
> @@ -2696,19 +2670,9 @@ stf_status ikev2_send_cp(struct state *st, enum next_payload_types_ikev2 np,
> "DNS 2", &cp_pbs);
> }
> } else {
> - ikev2_ship_cp_attr_ip4(IKEv2_INTERNAL_IP4_ADDRESS,
> - NULL, "IPV4 Address", &cp_pbs);
> ikev2_ship_cp_attr_ip4(IKEv2_INTERNAL_IP4_DNS, NULL, "DNS", &cp_pbs);
> }
>
> - if (st->st_seen_internal_domain) {
> - /* configured means sent by server or requested limitation by client */
> - ikev2_ship_cp_attr_str(IKEv2_INTERNAL_DNS_DOMAIN, c->internal_domain1,
> - "INTERNAL DOMAIN 1", &cp_pbs);
> - ikev2_ship_cp_attr_str(IKEv2_INTERNAL_DNS_DOMAIN, c->internal_domain2,
> - "INTERNAL DOMAIN 2", &cp_pbs);
> - }
> -
> close_output_pbs(&cp_pbs);
>
> return STF_OK;
> @@ -2985,16 +2949,18 @@ static stf_status ikev2_record_fragments(struct msg_digest *md,
> static int ikev2_np_cp_or_sa(struct connection *const pc, int np, const lset_t
> st_nat_traversal)
> {
> + int rnp = np;
> +
> if (pc->spd.this.modecfg_client) {
> if (pc->spd.this.cat) {
> if (LHAS(st_nat_traversal, NATED_HOST)) {
> - return ISAKMP_NEXT_v2CP;
> + rnp = ISAKMP_NEXT_v2CP;
> }
> } else {
> - return ISAKMP_NEXT_v2CP;
> + rnp = ISAKMP_NEXT_v2CP;
> }
> }
> - return np;
> + return rnp;
> }
>
> static stf_status ikev2_parent_inR1outI2_tail(
> @@ -3238,7 +3204,7 @@ static stf_status ikev2_parent_inR1outI2_tail(
> }
>
> if (send_cp_r == ISAKMP_NEXT_v2CP) {
> - stf_status cpstat = ikev2_send_cp(pst, ISAKMP_NEXT_v2SA,
> + stf_status cpstat = ikev2_send_cp(pc, ISAKMP_NEXT_v2SA,
> &e_pbs_cipher);
>
> if (cpstat != STF_OK)
> @@ -3322,7 +3288,7 @@ static stf_status ikev2_parent_inR1outI2_tail(
> }
>
> if (cc->send_no_esp_tfc) {
> - if (!ship_v2N( (cc->internal_domain1 != NULL) ? ISAKMP_NEXT_v2CP : ISAKMP_NEXT_v2NONE,
> + if (!ship_v2N(ISAKMP_NEXT_v2NONE,
> ISAKMP_PAYLOAD_NONCRITICAL,
> PROTO_v2_RESERVED,
> &empty_chunk,
> @@ -3330,14 +3296,6 @@ static stf_status ikev2_parent_inR1outI2_tail(
> &e_pbs_cipher))
> return STF_INTERNAL_ERROR;
> }
> -
> -
> - /* send CP payload */
> - if (cc->internal_domain1 != NULL) {
> - ikev2_send_cp(pst, ISAKMP_NEXT_v2NONE, &e_pbs_cipher);
> - }
> -
> -
> }
>
> const unsigned int len = pbs_offset(&e_pbs_cipher);
> @@ -3601,14 +3559,6 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md)
> ikev2_decode_cr(md);
> }
>
> - /* process CP payloads */
> - if (md->chain[ISAKMP_NEXT_v2CP] != NULL) {
> - if (!ikev2_parse_cp_r_body(md->chain[ISAKMP_NEXT_v2CP], st))
> - {
> - return STF_FAIL + v2N_NO_PROPOSAL_CHOSEN;
> - }
> - }
> -
> /* process AUTH payload */
>
> enum keyword_authby that_authby = st->st_connection->spd.that.authby;
> diff --git a/programs/pluto/state.h b/programs/pluto/state.h
> index ca8fcbbb5..0a6330feb 100644
> --- a/programs/pluto/state.h
> +++ b/programs/pluto/state.h
> @@ -569,7 +569,6 @@ struct state {
> bool st_seen_fragments; /* did we receive ike fragments from peer, if so use them in return as well */
> bool st_seen_no_tfc; /* did we receive ESP_TFC_PADDING_NOT_SUPPORTED */
> bool st_seen_use_transport; /* did we receive USE_TRANSPORT_MODE */
> - bool st_seen_internal_domain; /* did we receive CP IKEv2_INTERNAL_DNS_DOMAIN */
> generalName_t *st_requested_ca; /* collected certificate requests */
> u_int8_t st_reply_xchg;
> };
> diff --git a/programs/whack/whack.c b/programs/whack/whack.c
> index 8171527aa..a547af0b6 100644
> --- a/programs/whack/whack.c
> +++ b/programs/whack/whack.c
> @@ -123,8 +123,6 @@ static void help(void)
> " [--addresspool <network range>] \\\n"
> " [--modecfgdns1 <ip-address>] [--modecfgdns2 <ip-address>] \\\n"
> " [--modecfgdomain <dns-domain>] \\\n"
> - " [--internaldomain1 <dns-domain>] \\\n"
> - " [--internaldomain2 <dns-domain>] \\\n"
> " [--modecfgbanner <login banner>] \\\n"
> " [--metric <metric>] \\\n"
> " [--nflog-group <groupnum>] \\\n"
> @@ -375,8 +373,6 @@ enum option_enums {
>
> CD_MODECFGDNS1,
> CD_MODECFGDNS2,
> - CD_INTERNALDOMAIN1,
> - CD_INTERNALDOMAIN2,
> CD_MODECFGDOMAIN,
> CD_MODECFGBANNER,
> CD_METRIC,
> @@ -642,8 +638,6 @@ static const struct option long_opts[] = {
> { "addresspool", required_argument, NULL, END_ADDRESSPOOL + OO },
> { "modecfgdns1", required_argument, NULL, CD_MODECFGDNS1 + OO },
> { "modecfgdns2", required_argument, NULL, CD_MODECFGDNS2 + OO },
> - { "internaldomain1", required_argument, NULL, CD_INTERNALDOMAIN1 + OO },
> - { "internaldomain2", required_argument, NULL, CD_INTERNALDOMAIN2 + OO },
> { "modecfgdomain", required_argument, NULL, CD_MODECFGDOMAIN + OO },
> { "modecfgbanner", required_argument, NULL, CD_MODECFGBANNER + OO },
> { "modeconfigserver", no_argument, NULL, END_MODECFGSERVER + OO },
> @@ -899,8 +893,6 @@ int main(int argc, char **argv)
> msg.xauthfail = XAUTHFAIL_HARD;
> msg.modecfg_domain = NULL;
> msg.modecfg_banner = NULL;
> - msg.internal_domain1 = NULL;
> - msg.internal_domain2 = NULL;
>
> msg.nic_offload = nic_offload_auto;
> msg.sa_ike_life_seconds = deltatime(IKE_SA_LIFETIME_DEFAULT);
> @@ -1887,16 +1879,6 @@ int main(int argc, char **argv)
> &msg.modecfg_dns2), optarg);
> continue;
>
> - case CD_INTERNALDOMAIN1: /* --internaldomain1 */
> - msg.internal_domain1 = strdup(optarg);
> - fprintf(stderr, "whack: --internaldomain1 %s", optarg);
> - continue;
> -
> - case CD_INTERNALDOMAIN2: /* --internaldomain2 */
> - fprintf(stderr, "whack: --internaldomain2 %s", optarg);
> - msg.internal_domain2 = strdup(optarg);
> - continue;
> -
> case CD_MODECFGDOMAIN: /* --modecfgdomain */
> msg.modecfg_domain = strdup(optarg);
> continue;
> --
> 2.13.6
>